digital-asset · yves-da · Jan 7, 2026 · Jan 6, 2026
diff --git a/community/LICENSE-open-source-bundle.txt b/community/LICENSE-open-source-bundle.txt
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates
+   Copyright (c) 2026 Digital Asset (Switzerland) GmbH and/or its affiliates
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

diff --git a/...t/canton/integration/tests/examples/OpenSslOfflineRootKeyDemoExampleIntegrationTest.scala b/...t/canton/integration/tests/examples/OpenSslOfflineRootKeyDemoExampleIntegrationTest.scala
@@ -7,30 +7,39 @@ import better.files.File
 import com.daml.nonempty.NonEmpty
 import com.digitalasset.canton.crypto.Fingerprint
 import com.digitalasset.canton.integration.CommunityIntegrationTest
-import com.digitalasset.canton.integration.plugins.UseH2
 import com.digitalasset.canton.integration.tests.examples.ExampleIntegrationTest.examplesPath
 import com.digitalasset.canton.integration.tests.examples.OpenSslOfflineRootKeyDemoExampleIntegrationTest.demoFolder
 import com.digitalasset.canton.topology.admin.grpc.TopologyStoreId.Authorized
 import com.digitalasset.canton.topology.transaction.{DelegationRestriction, TopologyMapping}
+import org.scalatest.BeforeAndAfterEach
 import org.scalatestplus.scalacheck.ScalaCheckPropertyChecks
 
 object OpenSslOfflineRootKeyDemoExampleIntegrationTest {
   lazy val demoFolder: File = examplesPath / "10-offline-root-namespace-init"
 }
 
-sealed abstract class OpenSslOfflineRootKeyDemoExampleIntegrationTest
+class OpenSslOfflineRootKeyDemoExampleIntegrationTest
     extends ExampleIntegrationTest(
       demoFolder / "manual-init-example.conf"
     )
     with CommunityIntegrationTest
-    with ScalaCheckPropertyChecks {
+    with ScalaCheckPropertyChecks
+    with BeforeAndAfterEach {
 
   override def afterAll(): Unit = {
     super.afterAll()
     // Delete the temp files created by the test
     (demoFolder / "tmp").delete(swallowIOExceptions = true)
   }
 
+  override def afterEach(): Unit =
+    List(
+      "canton-examples.init-script",
+      "canton-examples.openssl-signature-algorithm",
+      "canton-examples.openssl-script-dir",
+      "canton-examples.openssl-keys-dir",
+    ).foreach(System.clearProperty)
+
   private def delegationRestrictions(
       fingerprint: Fingerprint
   )(implicit env: FixtureParam) = {
@@ -45,79 +54,71 @@ sealed abstract class OpenSslOfflineRootKeyDemoExampleIntegrationTest
       .restriction
   }
 
-  "run offline root namespace key init demo" in { implicit env =>
-    import env.*
+  List(
+    ("openssl-example-ec256.sh", "ecdsa256"),
+    ("openssl-example-ed25519.sh", "ed25519"),
+  ).foreach { case (script, keySpec) =>
+    s"run offline root namespace key init demo for $keySpec" in { implicit env =>
+      import env.*
 
-    val tmpDir = better.files.File.newTemporaryDirectory("tmp")
-    ExampleIntegrationTest.ensureSystemProperties(
-      "canton-examples.openssl-script-dir" -> demoFolder.pathAsString
-    )
-    ExampleIntegrationTest.ensureSystemProperties(
-      "canton-examples.openssl-keys-dir" -> tmpDir.pathAsString
-    )
-    runScript(demoFolder / "bootstrap.canton")(environment)
-    participant1.is_initialized shouldBe true
-
-    // Check root key restrictions
-    delegationRestrictions(
-      participant1.id.fingerprint
-    ) shouldBe DelegationRestriction.CanSignAllMappings
-
-    val namespaceDelegationFingerprint = participant1.keys.public
-      .list()
-      .find(_.name.map(_.unwrap).contains("IntermediateKey"))
-      .value
-      .id
-
-    // Check intermediate key restrictions
-    delegationRestrictions(
-      namespaceDelegationFingerprint
-    ) shouldBe DelegationRestriction.CanSignAllButNamespaceDelegations
-
-    // Run the script adding a key with signing restrictions
-    runScript(demoFolder / "restricted-key.canton")(environment)
-
-    // Check restricted key restrictions
-    delegationRestrictions(
-      participant1.keys.public
+      ExampleIntegrationTest.ensureSystemProperties(
+        "canton-examples.init-script" -> script,
+        "canton-examples.openssl-signature-algorithm" -> keySpec,
+      )
+
+      val tmpDir = better.files.File.newTemporaryDirectory("tmp")
+      ExampleIntegrationTest.ensureSystemProperties(
+        "canton-examples.openssl-script-dir" -> demoFolder.pathAsString
+      )
+      ExampleIntegrationTest.ensureSystemProperties(
+        "canton-examples.openssl-keys-dir" -> tmpDir.pathAsString
+      )
+      runScript(demoFolder / "bootstrap.canton")(environment)
+      participant1.is_initialized shouldBe true
+
+      // Check root key restrictions
+      delegationRestrictions(
+        participant1.id.fingerprint
+      ) shouldBe DelegationRestriction.CanSignAllMappings
+
+      val namespaceDelegationFingerprint = participant1.keys.public
         .list()
-        .find(_.name.map(_.unwrap).contains("RestrictedKey"))
+        .find(_.name.map(_.unwrap).contains("IntermediateKey"))
         .value
         .id
-    ) shouldBe DelegationRestriction.CanSignSpecificMappings(
-      NonEmpty.mk(
-        Set,
-        TopologyMapping.Code.PartyToParticipant,
-        TopologyMapping.Code.PartyToKeyMapping,
+
+      // Check intermediate key restrictions
+      delegationRestrictions(
+        namespaceDelegationFingerprint
+      ) shouldBe DelegationRestriction.CanSignAllButNamespaceDelegations
+
+      // Run the script adding a key with signing restrictions
+      runScript(demoFolder / "restricted-key.canton")(environment)
+
+      // Check restricted key restrictions
+      delegationRestrictions(
+        participant1.keys.public
+          .list()
+          .find(_.name.map(_.unwrap).contains("RestrictedKey"))
+          .value
+          .id
+      ) shouldBe DelegationRestriction.CanSignSpecificMappings(
+        NonEmpty.mk(
+          Set,
+          TopologyMapping.Code.PartyToParticipant,
+          TopologyMapping.Code.PartyToKeyMapping,
+        )
       )
-    )
 
-    // Run the script revoking the delegation
-    runScript(demoFolder / "revoke-namespace-delegation.canton")(environment)
+      // Run the script revoking the delegation
+      runScript(demoFolder / "revoke-namespace-delegation.canton")(environment)
 
-    // Check the delegation is gone
-    participant1.topology.namespace_delegations
-      .list(
-        store = Authorized,
-        filterTargetKey = Some(namespaceDelegationFingerprint),
-      ) shouldBe empty
+      // Check the delegation is gone
+      participant1.topology.namespace_delegations
+        .list(
+          store = Authorized,
+          filterTargetKey = Some(namespaceDelegationFingerprint),
+        ) shouldBe empty
+    }
   }
 }
-
-final class OpenSslOfflineRootKeyDemoExampleIntegrationTestEc256
-    extends OpenSslOfflineRootKeyDemoExampleIntegrationTest {
-  registerPlugin(new UseH2(loggerFactory))
-  ExampleIntegrationTest.ensureSystemProperties(
-    "canton-examples.init-script" -> "openssl-example-ec256.sh",
-    "canton-examples.openssl-signature-algorithm" -> "ecdsa256",
-  )
-}
-
-final class OpenSslOfflineRootKeyDemoExampleIntegrationTestEd25519
-    extends OpenSslOfflineRootKeyDemoExampleIntegrationTest {
-  registerPlugin(new UseH2(loggerFactory))
-  ExampleIntegrationTest.ensureSystemProperties(
-    "canton-examples.init-script" -> "openssl-example-ed25519.sh",
-    "canton-examples.openssl-signature-algorithm" -> "ed25519",
-  )
-}
diff --git a/community/base/src/main/scala/com/digitalasset/canton/serialization/ProtoConverter.scala b/community/base/src/main/scala/com/digitalasset/canton/serialization/ProtoConverter.scala
@@ -80,15 +80,19 @@ object ProtoConverter {
     */
   def protoParser[A](parseFrom: CodedInputStream => A): ByteString => Either[BufferException, A] =
     bytes =>
-      Either
-        .catchOnly[InvalidProtocolBufferException](parseFrom(bytes.newCodedInput))
-        .leftMap(BufferException.apply)
+      try {
+        Right(parseFrom(bytes.newCodedInput))
+      } catch {
+        case e: InvalidProtocolBufferException => Left(BufferException(e))
+      }
 
   def protoParserArray[A](parseFrom: Array[Byte] => A): Array[Byte] => Either[BufferException, A] =
     bytes =>
-      Either
-        .catchOnly[InvalidProtocolBufferException](parseFrom(bytes))
-        .leftMap(BufferException.apply)
+      try {
+        Right(parseFrom(bytes))
+      } catch {
+        case e: InvalidProtocolBufferException => Left(BufferException(e))
+      }
 
   /** Helper for extracting an optional field where the value is required
     * @param field

diff --git a/community/base/src/main/scala/com/digitalasset/canton/util/HexString.scala b/community/base/src/main/scala/com/digitalasset/canton/util/HexString.scala
@@ -21,7 +21,19 @@ object HexString {
     )
   }
 
-  def toHexString(bytes: Array[Byte]): String = bytes.map(b => f"$b%02x").mkString("")
+  private val hexArray = "0123456789abcdef".toCharArray
+  @SuppressWarnings(Array("org.wartremover.warts.Var", "org.wartremover.warts.While"))
+  def toHexString(bytes: Array[Byte]): String = {
+    val hexChars = new Array[Char](bytes.length * 2)
+    var ii = 0
+    while (ii < bytes.length) {
+      val v = bytes(ii) & 0xff // mask to unsigned int
+      hexChars(ii * 2) = hexArray(v >>> 4) // leading bits
+      hexChars(ii * 2 + 1) = hexArray(v & 0x0f) // trailing bits
+      ii += 1
+    }
+    new String(hexChars)
+  }
 
   /** Parse a hex-string `s` to a byte array. */
   @SuppressWarnings(Array("org.wartremover.warts.AsInstanceOf"))

diff --git a/...ticipant/src/main/scala/com/digitalasset/canton/participant/event/AcsChangeListener.scala b/...ticipant/src/main/scala/com/digitalasset/canton/participant/event/AcsChangeListener.scala
@@ -3,12 +3,14 @@
 
 package com.digitalasset.canton.participant.event
 
+import com.daml.nonempty.NonEmpty
 import com.digitalasset.canton.ledger.participant.state.{
   AcsChange,
   AcsChangeFactory,
   AcsChangeFactoryImpl,
   ContractStakeholdersAndReassignmentCounter,
 }
+import com.digitalasset.canton.lifecycle.FutureUnlessShutdown
 import com.digitalasset.canton.logging.{HasLoggerName, NamedLoggingContext}
 import com.digitalasset.canton.participant.protocol.conflictdetection.CommitSet
 import com.digitalasset.canton.tracing.TraceContext
@@ -30,6 +32,10 @@ trait AcsChangeListener {
       traceContext: TraceContext
   ): Unit
 
+  def publish(acsChanges: NonEmpty[Seq[(RecordTime, AcsChange)]])(implicit
+      traceContext: TraceContext
+  ): FutureUnlessShutdown[Unit]
+
   def publish(toc: RecordTime, acsChangeFactoryO: Option[AcsChangeFactory])(implicit
       traceContext: TraceContext
   ): Unit